GCM, GHASH and Weak Keys
نویسنده
چکیده
The Galois/Counter Mode (GCM) of operation has been standardized by NIST to provide single-pass authenticated encryption. The GHASH authentication component of GCM belongs to a class of Wegman-Carter polynomial universal hashes that operate in the field GF (2). GCM uses the same block cipher key K to both encrypt data and to derive the generator H of the authentication polynomial. In present literature, only the trivial weak key H = 0 has been considered. In this note we show that GHASH has much wider classes of weak keys in its 512 multiplicative subgroups, analyze some of their properties, and give experimental results when GCM is used with the AES algorithm.
منابع مشابه
Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes
The Galois/Counter Mode (GCM) of operation has been standardized by NIST to provide singlepass authenticated encryption. The GHASH authentication component of GCM belongs to a class of WegmanCarter polynomial hashes that operate in the field GF(2). We present message forgery attacks that are made possible by its extremely smooth-order multiplicative group which splits into 512 subgroups. GCM us...
متن کاملRevisiting MAC Forgeries, Weak Keys and Provable Security of Galois/Counter Mode of Operation
Galois/Counter Mode (GCM) is a block cipher mode of operation widely adopted in many practical applications and standards, such as IEEE 802.1AE and IPsec. We demonstrate that to construct successful forgeries of GCM-like polynomial-based MAC schemes, hash collisions are not necessarily required and any polynomials could be used in the attacks, which removes the restrictions of attacks previousl...
متن کاملHigh Speed VLSI Architecture for AES-Galois/Counter Mode
Galois/Counter Mode of Operation (GCM) is a block cipher mode operation used to provide encryption and authentication using universal Hashing based on multiplication over binary Galois/Finite Field.GCM can be implemented on both hardware and software effectively and efficiently. GCM supports pipelined and parallelized implementations to have minimal computational latency in order to be useful a...
متن کاملTwisted Polynomials and Forgery Attacks on GCM
Polynomial hashing as an instantiation of universal hashing is a widely employed method for the construction of MACs and authenticated encryption (AE) schemes, the ubiquitous GCM being a prominent example. It is also used in recent AE proposals within the CAESAR competition which aim at providing nonce misuse resistance, such as POET. The algebraic structure of polynomial hashing has given rise...
متن کاملFlexible and Efficient Message Authentication in Hardware and Software
We present the Galois Message Authentication Code (GMAC), a generic construction based on universal hashing using multiplication in the finite field GF (2). We also present GCM, a block cipher mode of operation that provides both encryption and message integrity in a single primitive, and is based on GMAC. The inherent parallelism in our constructs enable hardware implementations to achieve spe...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2011 شماره
صفحات -
تاریخ انتشار 2011